A Guide to Zoom Recording GDPR Compliance

Otter
July 8, 2026
7 min
In this article

Try Otter today

  • 300 monthly transcription minutes

  • 30 minutes per conversation

  • 3 audio or video file imports

Try Otter for enterprise today

  • Industry leading transcription

  • Advanced AI Chat

  • Custom integrations & workflows

Share this post
Update
Otter has transformed with Otter Meeting Agents

Intelligent, voice-activated, meeting agents that directly participate in meetings answering questions and completing tasks - to make capturing, understanding, and acting on conversations effortless. Learn more about what’s new here.

Learn more

Last updated: June 2026. This article provides general information only. For guidance specific to your organization and jurisdiction, consult qualified data protection counsel.

Hitting record on a Zoom call with EU or UK participants pulls you straight into GDPR territory. A recording of identifiable people is personal data, which means you need a lawful basis to capture it, you have to tell people before the call, and you have to manage the file under a retention schedule once it ends.

Most teams treat recording as a convenience feature. GDPR treats it as processing, with obligations that apply from the moment the recording starts and that go beyond general call recording laws. The rest of this article covers the lawful basis question, consent mechanics, participant rights, storage and retention, and a workflow you can apply per meeting type.

The Short on Time Version

  • Recording Zoom calls with EU participants can be GDPR compliant, but only if you identify a lawful basis, tell people before you record, and manage the file responsibly afterward.
  • You need a lawful basis before recording. Two commonly relevant bases are consent and legitimate interests, and the right choice depends on context, especially in employer/employee settings.
  • Recordings are personal data, so participants keep their data-subject rights, including access and erasure.
  • Recordings need a defined retention period, secure storage with encryption and access controls, and a processor agreement with any tool such as Otter.ai that handles the file.

What GDPR Means for Recording Zoom Meetings

Under GDPR, a meeting recording is personal data because it captures the voices and faces of identifiable individuals. Article 4(1) defines personal data as any information relating to an identified or identifiable natural person, and the same definition applies under UK GDPR. A Zoom recording fits that definition, whether it comes from a native Zoom transcription or a separate AI notetaker capturing the call.

The act of recording is itself regulated. Article 4(2) lists "recording" by name as a form of processing, so full GDPR obligations apply from the moment you press the button.

The organization that decides why and how to record, including who sees the file, is the data controller and is legally responsible for compliance. A platform that stores or processes the recording strictly on your instructions, without setting its own purpose, is a data processor under Article 4(8). The organization that determines the purpose and means of processing is the controller and carries the accountability under video surveillance guidance.

What Lawful Basis You Need to Record a Zoom Meeting

You need a lawful basis before recording begins, and two commonly relevant bases for meetings are consent and legitimate interests. You can record video conferencing sessions where you have a valid purpose that cannot be achieved using less intrusive methods, and you must record and justify your lawful basis for doing so.

Consent works when participants have genuine free choice. It struggles in employer/employee contexts. In an employment relationship, the power imbalance can make it "unlikely that the data subject is able to deny his/her employer consent" without fear of consequences. That makes consent "problematic" as a basis for processing employee data.

Legitimate interests is more flexible, but it asks more of you. A Legitimate Interests Assessment requires a purpose test, a necessity test, and a balancing test that weighs your interest against participants' rights. For example, a company can rely on legitimate interests to use helpline call recordings for staff training and real-time sales coaching.

This is why "record everything by default" is risky. The necessity test fails if written minutes would achieve the same purpose, and a blanket policy cannot assess each meeting type individually. No basis takes precedence, and the guidance is to "always use the one that is most appropriate to the circumstances." Document the basis you choose, and identify an additional condition before you start if recordings might capture special category data, such as health or trade union information.

How to Get Valid Permission to Record

When permission to record is your basis, it must be informed, specific, and freely given, and recorded participants must be told before recording starts. Article 4(11) defines consent as a freely given, specific, informed, and unambiguous indication of agreement, signaled by a clear affirmative action.

Start with a pre-meeting notice. Tell people the recording's purpose and retention period, and include that information in your privacy notice. Put advance notice in the calendar invitation or sales meeting agenda, and link to the policy that covers recording.

In-meeting disclosure on its own is not enough. The permission requires "a clear affirmative action (opt-in)," which means a verbal notice at the top of the call, without an active opt-in, does not constitute valid consent by itself. You also cannot rely on silence, pre-ticked boxes, or default settings.

Handle declining participants without detriment. People must be able to refuse permission without consequences. If someone declines, either do not record or let them join in a non-recorded format. If you need to record anyway, assess whether legitimate interests applies instead. These same consent requirements, freely given, specific, informed, opt-in, and withdrawable, apply equally to external clients and partners captured in the recording.

Otter provides a recording notice both before and during meetings. Understanding each layer helps you determine what's sufficient for your jurisdiction and where you may want to add additional safeguards.

What Participant Rights Apply to Recordings

Data-subject rights extend to recordings, including the right of access and the right to erasure. Because a recording is personal data, the people in it can ask for a copy or ask you to delete it.

For access requests, individuals can obtain a copy of their personal information. You must respond "without undue delay and at the latest within one month," with a possible two-month extension for complex requests. Recordings complicate this because they usually contain more than one person. Providing a copy could adversely affect the rights and freedoms of other data subjects in the material, so you have to weigh those competing rights before disclosing.

For deletion, Article 17 gives individuals the right to erasure in defined circumstances, with exemptions such as processing needed for legal claims. Retention interacts directly with these rights. Where a recording sits past its justified retention period, there is no longer a lawful basis to keep it, which engages the right to erasure. Where a legitimate retention period is still active, that can override an erasure request. If a recording has already been deleted under your policy when a request arrives, the right of access does not apply to data you no longer hold.

How to Store and Retain Zoom Recordings Under GDPR

Recordings need a defined retention period and secure, access-controlled storage. GDPR does not set a fixed timeframe. Article 5(1)(e) requires you to keep personal data no longer than is necessary, and you must not hold data indefinitely just in case. Set a retention policy with standard periods you can justify. For a reference point, workplace call recordings are benchmarked at a maximum of six months absent a specific justification, though you must determine your own period. For broader background, see this guide to GDPR call recording.

For Zoom specifically, configure the "Auto delete cloud recordings after days" setting, or any equivalent retention control available in your account, so cloud recordings follow your documented retention schedule. Set and enforce your own GDPR-compliant retention period instead of leaving platform defaults in place.

Security measures must be built into storage and sharing. Article 32 requires appropriate measures including encryption and the ability to maintain confidentiality and integrity. Apply role-based access controls, encrypt recordings at rest and in transit, and avoid uncontrolled sharing over email or chat.

Any tool that handles the recording on your behalf needs an Article 28 processor agreement specifying the type of data, object, and purpose of processing. If that processor uses sub-processors, the same obligations flow down, and the original processor stays fully liable to you.

Otter provides indispensable value through its custom data retention feature. Organizations have full control over how long a conversation remains in the Workspace. Once an admin sets a custom duration, all conversations created by users in the Workspace will be automatically deleted once the duration has been met. Deleted conversations will not be accessible by any user in the Workspace. 

How to Build a GDPR-Compliant Recording Workflow

Use the same repeatable workflow for each recorded meeting, so nothing depends on whoever happens to click record. Building this into your broader AI policy and enterprise AI governance program helps prevent shadow AI risks from uncontrolled recording tools.

Use this sequence for the best results:

  • Establish and document the lawful basis before recording. Decide per meeting type whether consent or legitimate interests applies, run an LIA if you rely on legitimate interests, and check for any Article 9 special category triggers. Keep documented evidence of these decisions as part of your accountability records.
  • Give pre-meeting notice and confirm consent where needed. Explain why you are recording, how long you will keep it, who can access it, and how participants exercise their rights.
  • Screen for a DPIA. A DPIA is a legal requirement before high-risk processing, including systematic monitoring or biometric processing applied to recordings.
  • Apply access controls and encryption. Limit who can open recordings, log access, and keep storage secure under Articles 5 and 32.
  • Automate retention and deletion. Use a disposal and deletion process to avoid retaining data too long and breaching Article 5(1)(e). Automated deletion enforces your schedule.
  • Maintain an audit trail. Article 30 records of processing, consent records, and access logs prove what you did and why.

You remain responsible for the decisions as the controller. Platform features only help you execute them. Otter helps build a workflow with all these steps build in for the users. 

How Otter Supports Compliant Meeting Recording

A compliant workflow is easier to run when the tool capturing your conversations gives administrators real control over recording, access, and retention. Otter is an AI notetaker and Conversation Intelligence Platform that captures meetings, organizes what was said, and turns it into structured meeting intelligence your team can use, with admin controls built for governance instead of ad hoc cleanup.

Otter is SOC 2 Type II certified, and its Trust Center lists GDPR and CCPA among its compliance credentials. Data is stored on AWS with Amazon S3 server-side AES-256 encryption. Enterprise plans add HIPAA compliance, SAML-based single sign-on via Microsoft Entra ID (formerly Azure AD), and SCIM directory sync.

Otter's Enterprise admin controls map directly onto the workflow steps above. Administrators can set a custom data retention policy to enforce deletion on a schedule, require pre-meeting recording notifications so participants are told before capture begins, control sharing and export permissions, manage centralized conversation records with access controls, and pull activity logs for an audit trail. The Enterprise Model Context Protocol (MCP) server lets approved external AI models query meeting data through a governed, bidirectional connection instead of ungoverned exports.

Strategic management consulting firm Stax shows what this kind of governance looks like day to day. Before adopting Otter Enterprise, Stax employees had been creating personal Otter accounts on their own. That meant confidential client information was scattered across uncontrolled subscriptions and disappeared with staff when they left the firm. Moving to Otter Enterprise gave IT leader Miguel Patino centralized control over subscriptions and data, eliminating rogue accounts and keeping confidential client material within a managed, governed repository. The data security and compliance concerns that ad hoc adoption had created were resolved, and the same enterprise governance now covers internal meetings, vendor calls, and developer conversations alongside client engagements.

For EU data residency, Otter stores data in the AWS US West region, so organizations with strict residency requirements can assess that against their GDPR obligations and review Otter's processor agreement and transfer mechanism documentation.

For more context on the policy side, see related guidance on building a corporate AI policy and a knowledge management strategy that includes meeting recordings.

Conclusion

GDPR compliance for Zoom recordings comes down to five things: a documented lawful basis, clear notice before you record, secure and access-controlled storage, an enforced retention schedule, and an audit trail that proves your decisions. Tools like Otter include features such as admin controls and retention management that perfectly fit your recording workflow and help with compliance. Get a demo to learn more.

This article provides general information only. Consult qualified data protection counsel for guidance specific to your jurisdiction and circumstances.

Frequently Asked Questions About Zoom Recording GDPR

Is it legal to record someone without their consent? 

Recording without consent can be lawful under GDPR when another valid basis applies, such as legitimate interests or contractual necessity. Transparency is always required regardless: individuals must be informed before recording begins, and secret recordings without notice are not compliant.

Do you need consent to record a meeting? 

Consent is one of six lawful bases. You can rely on another basis, such as legitimate interests with a completed balancing assessment, if you identify and document it before recording.

What is GDPR consent? 

Under Article 4(11), consent is a freely given, specific, informed, and unambiguous indication of agreement, signaled by a clear affirmative action. It must not be bundled or coerced, and it can be withdrawn at any time, after which processing must stop.

How long can you keep Zoom recordings under GDPR? 

GDPR sets no fixed period. The storage limitation principle requires you to keep recordings only as long as necessary for the purpose you collected them for, then delete or anonymize them. Define and document your own retention period, and configure Zoom's auto-delete setting or other retention controls to enforce it instead of leaving platform defaults in place.

What Type of Data is Deleted by Otter? 

All data associated with the conversation will be deleted if a retention period is set for the full conversation:

  • Transcript
  • Audio/Video
  • Summary* 
  • Action Item(s)
  • Outline
  • Highlight(s)
  • Comment(s)
  • Image(s)
  • Insight(s)
  • Generated meeting template content within that conversation
  • Speaker tags within that conversation

*cannot be regenerated if the transcript is deleted